The reality of business in any jurisdiction is that errant or dishonest employees will turn up. Likewise, unethical management practices and the passing of key information to competitors without authorization for personal gain are simply never going to disappear.

As opposed to many consultancies, Corporate Due Diligence and Investigation does NOT typically recommend an immediate IT forensics or financial forensics audit when such suspicions arise. The turbulence created by such audits cannot always be undone, and an audit that does not reveal true, admissible evidence may often create disastrous legal controversy, especially in the face of the very pro-employee work laws on the books throughout the CIS and CEE.

That said, there is a time and place for forensics audits. Usually, they are recommended following discreet external and internal OSINT and HUMINT phases to determine the true nature of the alleged infractions. Once the likelihood of such infractions is at least partially confirmed, and once the true issues of an investigation are narrowed down to achievable goals, our financial and IT forensics teams will step in.

Such a conservative approach protects you in the following fashion:

It guards you from perceived wrongful accusations that, whether true or not, may still be used against you in employers court/civil litigation.

It enables deeper knowledge of purported infractions prior to expensive IT and financial forensics audits, thus allowing the creation of strategies ranging from legal prosecution to pre-emptive defense to negotiation and crisis PR.

The deep and discreet investigations prior to forensics will enable you to avoid taking on too much risk with regard to data protection law.

In the end, narrowing down final targets for internal forensics audits will save you money.

In practice, CDDI typically gets three types of requests:

Scenario 1: Accounts and money have been diverted from the company. Although most assume that criminals have simply "hacked into the system," often there is someone inside the company who has leaked information. Based on such information, criminals then (and much more effectively) hack into the company's IT system using very specific information that allows a true social engineering scam--i.e. the diversion of funds.

The following is a typical investigator approach to such a scenario (please keep in mind that all such scenarios differ, and approaches must be appropriately tailored to address a specific crime). Such an approach is often recommended after an external inquiry/detective investigation.

1a. Analysis of the security level of the computers and servers (mail server, VPN access, the network, etc.) is undertaken.

1b. Identification of people with access to the computers and servers. Investigative activities are targeted to identify their behavior over longer periods (not limited to the incident itself).

1c. Identification of persons with access to services, such as email accounts, VPN, etc. Follow-up IT surveillance is also undertaken to characterize the behavior of these individuals.

1d. Forensics unit investigations are then undertaken, which typically include:

A. The creation of 1-to-1 forensics copies of computer hard drives (cloning)
B. 1-to-1 hard disk copying of servers (cloning)
C. Making 1-to-1 copies of backup hard disks (cloning)
D. Sealing computers
E. Investigative activities performed on running systems (depending on the situation)
F. Investigative activities carried out in the investigating laboratory

1e. At this point, investigators are ready to produce the report, covering:

A. Preparations for the attack (incident description)
B. Persons involved in the incident (company personnel or hacker or both)
C. How the attack was undertaken
D. Evidence submission
E. A proposal to counter similar situations

Scenario 2: A company president or vice president or director is sending sensitive information to a competitor (and getting paid or being promised a job). In such a situation the client often wants scans of emails/laptops, etc.

Here the primary investigative activities are conducted on the computer used by the person involved in the incident. Nevertheless, the mail server and all services provided by the company that are used to transmit information from/to the company must also be checked. Actions generally apply to a single unit and server and roughly represent the following:

2a. Identification of persons with access to said computer or server. Investigative activities are thus undertaken to determine the behavior of a person over a long period of time (not limited to the incident itself).

2b. Identification of persons with access to certain IT services present in the company, including email accounts and services that can be used to send information out of the company domain. Investigative activities here are focused on illustrating a person's behavior over a longer period of time (not limited to the incident itself).

2d. Forensics unit investigations include the following:

A. Creating a 1-to-1 forensics copy of the computer hard drive (cloning)
B. Copying the server disk 1 to 1 (cloning)
C. Creating a 1-to-1 copy of the backup disk (cloning)
D. Sealing computers
F. Investigative activities, which are then carried out in the investigating laboratory

2e. Once the above information is gathered, investigators produce the report, covering:

A. Proceedings (history of the incident)
B. Evidence submission
C. Proposals to counteract similar scenarios

Scenario 3: Cyber security--clients wish to increase the level of security in their company or for their personal needs. In such a scenario, the following actions are performed.

3a. Consultation with the company's IT department to learn how the IT infrastructure works in the company, including the security policy, the internal network and the connection to Internet services.

3b. An environmental interview with the company's employees in order to establish the threat level and dangerous behavior related to the use of computers, including interviews and the introduction of socio-threat prevention.